Cisco are slowly moving away from the traditional method of manual license management and activation, newer devices utilise a feature called Smart Licensing to help manage, register and activate Cisco network devices. This is achieved ultimately by allowing the network device to communicate to the Cisco Cloud and “Call Home”.
Smart Licensing is linked to a Cisco domain ID which is used by suppliers when placing orders for network equipment from Cisco, this allows Cisco to provide kit ownership information, licenses and activation in one place.
The first step for any organisation is to register for a “Smart Account” this can be done very easily using a team/individual CCO account
The process on how to do this is outlined in the following link: https://www.cisco.com/c/en/us/support/docs/smb/cloud-and-systems-management/network-automation-and-management/smb5489-how-to-request-a-smart-account.html
Once you have a smart account, and have purchased some Cisco kit, these devices would require activation using Cisco Smart Software Manager (CSSM) this is the Could manager which is accessed via the Cisco portal.
Organisations can use this portal to register and manage all devices, licenses and ownership information. There are two types of accounts in CSSM, these are the following:
- Smart Account: This is the main account that is used by suppliers using a “Domain ID” to assign licenses to your account, this is normally in the form of a domain name such as xyz.com. An organisation can have multiple “Smart Accounts” however its not recommended, you cannot transfer licenses from one smart account to another once it has been assigned.
- Virtual Account – this is more like a virtual directory that you create to assign licenses to, it is used to organise licenses into categories and is optional. It allows easier management and can be used with tags to identify location, license type, device model etc. Every “Smart Account” will have a one “Virtual Account” this is known as the “DEFAULT” virtual account and this is where all licenses are stored when they are first purchased. An organisation can have multiple virtual accounts.
In the steps below we will look at the standard process for assigning a license to a device using CSSM
Step 1. To verify a license has been issued, within CSSM you can navigate to “Smart Software licensing” – “Inventory”
Under “DEFAULT” select “Licenses”.
We can see that there are two licenses for a 9200 series 48 port switch, one is the Network Essentials license and other is a DNA Essentials license, both for the same device.
Step 2. To register a device and utilise the purchased licenses, you would click the “General” tab and select “New Token”
At the “Create Registration Token” provide a description and click “Create Token”. For additional security, you can set parameters for the token such as when you want it to expire, how many uses etc. but essentially this single token can be used to register all your devices within the time limit specified. Click “Create Token”
Once the token is generated, it will appear under the “Token” field. Select “Actions” and click “Copy”. The token will now be copied to the clipboard ready to paste into the configuration of a device to allow it to register.
Step 3. On the device to be registered and activated, let’s check the license status
#show license status
We can see the switch is enabled for Smart Licensing however the registration status is “UNREGISTERED” and the license is in Evaluation mode
Assuming the device is correctly configured, and we have connectivity to reach CSSM on the public internet on TCP port 443, the device will “Call-Home” using a pre-configured profile called “CiscoTAC-1”
To register the device, we can simply use the following command and paste in our token that we copied earlier:
#license smart register idtoken “paste token here”
If we check the status once more, we can see if the device has registered correctly.
#show license status
From the output above, we can see the following:
- The device is now “REGISTERED” the Smart Account that was used to register the device is “XYZ COMPANY”.
- As the “Token” was used from the “DEFAULT” Virtual Account the license has also been picked from the container “DEFAULT”.
- The initial registration “SUCCEEDED” and the status for License Authorization is now “AUTHORIZED”.
- We also have “Sending hostname” enabled by default – this allows us to see the hostname of the device in CSSM.
Step 4. Let’s verify the license has been correctly assigned, navigate to “Smart Software Licensing” – “Inventory” – “Licenses”,
We can see that both licenses are in use, and the balance is now 0. If we click on the “Product Instances” tab we can see which device has occupied the licence.
As sending hostname is enabled, the device information will include the hostname – this is optional but some good visibility as to which device is assigned to which license pool.
When it comes to flexibility, there are several options for allowing network devices to communicate with the CSSM, these are the following:
- Direct cloud access: In direct cloud access connection method, Cisco products send usage information directly over the internet to Cisco.com; no additional components are needed for the connection. As already discussed above.
- Access through a HTTPs proxy: In Access through a HTTPs proxy connection method, Cisco products send usage information over the internet through a proxy server – either a Call Home Transport Gateway or off-the-shelf Proxy (such as Apache) to Cisco.com.
- On-premises License Server : In an on-premises license server method, Cisco products send usage information to a locally connected collector, which acts as a local license authority. Periodically, the information is exchanged to keep the databases in synchronization.
With option 1, this may be convenient for small business that have a few devices to manage, they simply allow each device to talk outbound on HTTPS and connect to CSSM, they would generate a token in CSSM under the “Virtual Account” they want to use and on the end device configure it so it authenticates the token and registers the device.
With mid-size to larger organisations who have 10’s, 100’s or 1000’s of devices along side firewalls and access control, option 1 may be a challenge from an implementations point of view and also from a security posture. Potentially the devices would use the management interface to talk outbound to CSSM and that could require a series of changes on the network including ACLs and NAT to ensure the communication is secure. Due to these reasons and for additional security, organisations may want to utilise option 2 or 3. For organisations that require high security, option 3 would be best suited.
In this step-by-step guide we will look at deploying option 3 using an on-premise Satellite device also known as SSM.
Option 3 is suitable for most organisations as it addresses the following:
- All network devices look to a local (internal) device for registration and activation requirements
- Traffic sourced from the L3 address of the device (used for Management) doesn’t require public internet access and never leaves the internal/DMZ parts of the network.
- Activation of licenses can take place locally (even if the there is no internet connectivity)
- Communication is secured internally and externally using SSL
- Synchronization of data occurs periodically, bandwidth requirements are minimal
- Flexibility in future deployment and upgrades of network devices
Once SSM is installed we will register the device by creating two Local Accounts, one will be a local “Smart” account and the second will be a local “Virtual Account”, this is very similar to CSSM however they belong to SSM. We can then transfer the licence we have issued earlier to the local device and re-register the switch once more. In the future we can simply move licences to the local SSM server as required and register new devices directly to SSM.
The Cisco Smart software satellite will sit within the internal part of the network, all network devices would register and perform activation directly to this device. No individual ACLS will be required from the network devices as the traffic will remain within the internal parts of the network, if devices from the DMZ are required to perform activation to this device you can group the devices and create an inbound access list on any firewalls. For simplicity in this example we are not using a DMZ, and we wont configure the firewall ACL’s, we will assume this is already setup.
The Cisco Smart Software satellite will communicate directly to Cisco cloud to perform synchronization of the database. This will require outbound ACLs on the firewalls to allow TCP 443 from the SSM device to Cisco.com
Lets get started!
Step 1. The satellite device is available in the form of an .ISO file to be deployed virtually within ESXI.
Download the Smart Software Satellite .ISO file from the URL below and upload it to a datastore within the ESXI environment.
Step 2. Build a new VM with the following minimum or recommended specs,
Within vSphere right Click the host and select “New Virtual Machine”
Select “Custom” and click “Next”
Give the VM a meaningful name and click “Next”
Select the host the VM will utilise the resources from and click “Next”
Select the storage location of the VM and click “Next”
Select “Virtual Machine Version: 11” click “Next”
Select “Linux” and “CentOS 4/5/6/7 (64bit)” and click “Next”. Note that version 7 is a requirement for this VM and anything below this version may not be compatible.
Select “2” for “Number of virtual sockets” and “2” for the “Number of cores per socket”. Click “Next”
Specify “8GB” memory for the VM and click “Next”
Note that two NICs can be used in the instance that traffic separation is required, 1 NIC would be assigned for Management and another for Data. In this example deployment 1 NIC will suffice. Select “1” and assign the correct VLAN to that NIC. The NIC type should be “VMXNET3”, click “Next”
Select “LSI Logic Parallel” and click “Next”
Select “Create a new virtual disk” click “Next”
specify the required size for the disk and select “Thick Provision Lazy Zeroed”, click “Next”
Select “SCSI (0:0)” click “Next”
Review the summary and click “Finish”
Step 3. Once the VM has been created, right click the device and select “Edit Settings”
Select “CD/DVD drive 1” tick “Connected” and “Connect at power on”, select “Datastore ISO File” and browse for the .ISO downloaded earlier. Click “OK”
Right click the VM once more and select “Open Console”
Power on the VM, at the boot menu select “Install Cisco SSM On-Prem”
Step 4. At the configuration menu, specify a host name, IP address and DNS information, the rest of the settings can remain as default. Click “OK”
At the prompt specify a strong password. Click “OK”
The installation will continue….. this can take some time…
Step 5. Once the installation is complete, the login prompt will be displayed. Sometimes there can be connectivity issues therefore at this stage It is recommended to dismount the ISO file from the VM, login and reboot the device.
Step 6. Once the device has been rebooted, navigate to the following URL to access the “Administration Portal”
Select “Advanced” and click “Proceed to 192.168.10.30 (unsafe)”
At the “Administration Portal” at first logon use the default username and password. Note that this is different to the console password setup earlier.
Select the preferred language and click “Next”
Specify a new password for the account, click “Next”
Review the information and click “Apply”
Once the changes have been applied, you will re-directed back to the login page. Log back in using the new password.
Step 7. From the administration dashboard the device can now be managed and configured further if required. In order to start using the device we first need to create a local “Smart” account and register it with CSSM, with this we will also create a virtual account. Click “Accounts”
at the new window select “New Account”
Specify the following details
Account Name: Smart-On-Prem-Account – this is the name of the local account on this device and can be anything
Cisco Smart Account: XYZ COMPANY – this is name of the Smart account in CSSM, this must match
Cisco Virtual Account: Local-Virtual Account – this is the name of a local virtual account and can be anything, this cant conflict with a virtual account that already exists in CSSM
Email for Notification: – this is the email address used to notification
The account request has now been submitted and requires approval. At the confirmation message click “OK”
Still under “Accounts” click the “Accounts Requests” tab, we can see that the request is listed here, and the status is currently “Pending” click the “Actions” button and select “Approve”
At the popup window login using the Cisco CCO credentials for the team/individual. And click “Submit”.
The device will now pull information from CSSM and provide it for review, once the details are correct click “Next”
The device will begin its registration process
Once the registration process is complete, we can confirm the status by clicking the “Accounts” tab the “Account Status” should specify it is now “Active”
Step 8. Lets now validate the local account is visible within CSSM, navigate to “Cisco Software Licensing” – “On-Prem Accounts”
We can see that the account is now registered
Click the account for further details, in the “General” tab we can see that name of the local account on SSM.
Under the “Virtual Accounts” tab we can see that “Local-Virtual-Account” is being picked up CSSM which is local to SSM.
Under the “Event log” tab we can see that the event of the registration
Now that the On-Prem Satellite device (SSM) is registered we can transfer licenses from CSSM using the virtual account we created “Local-virtual-Account” and then using SSM we can pick them up and register our devices.
We previously assigned a set of licenses to a switch using CSSM, we can move these licenses into SSM, re-configure the switch to talk to SSM instead of CSSM and then re-register the device.
Step 9. Within CSSM, let’s look back at the license that we used earlier to register the switch. Navigate to “Smart Software Licensing” – under the virtual account “DEFAULT” select “Inventory”.
We can see that the licenses are in use,
Tick both Licenses and click “Available Actions”
Select the destination virtual account to transfer the licenses to, in this case it’s the “Local-Virtual-Account”
Specify the quantity of licenses to transfer and click “Transfer”
Navigate to the “Local-Virtual-Account” and now these licenses should be visible here, also note that the “In Use” column has now changed to 0 for both licenses. As the licenses were transferred to a local virtual account, they are no longer considered in use. This is how CSSM will display this information
Step 10. Within the SSM Administration portal, click “Synchronization” and select “Actions” and click “Full Synchronization Now”, this will pull the information from CSSM.
At the prompt login using the team/individual CCO account and click “OK”
Wait for the synchronization to take place, this normally completes within a minute, once complete the status will show “Synchronization Successful” If you do get any errors at this stage ensure that any firewalls in place are not blocking the https traffic outbound to Cisco.com from the local SSM satellite device.
Step 11. Navigate to the local licensing portal using the following URL:
Login and click “Manage Smart Account” note that the page looks similar to CSSM.
Under “Account Properties” we can see the account information for the local “Smart Account” the status is active, the account name is “Smart-OnPrem-Account”
Click “ Virtual Accounts”, here we can see an account called “DEFAULT” this is the “Local-Virtual-Account” that we created earlier. “Local-Virtual-Account” within CSSM maps to “DEFAULT” within SSM”. To avoid confusion you can rename this to match the name in CSSM. Any licenses that we place inside “local-Virtual-Account” within CSSM will appear here.
Lets create a few virtual accounts so that we can organise our licenses, I would like to separate corporate devices from public devices
click “New Virtual Account”
Give the account a meaningful name, click “Save”
Create another, give it a name and description, click “Save”
The newly created virtual accounts should now be listed. Navigate back to the main screen on the licensing portal, click “Smart Software Manager On-Prem”
Step 12. Click “Smart licensing”
Navigate to “Inventory” and select the “DEFAULT” virtual account, we should see the licenses we transferred earlier from CSSM. Lets now transfer these licenses into one of our newly created virtual accounts. Tick the licenses and select “Actions”
Select the destination virtual account to transfer to, in this case I would like to transfer this to the “Corporate Network Devices” virtual account.
Specify the quantity and click “Transfer”
If we navigate to the “Corporate Network Devices” virtual account we should see the licenses in that container.
Step 13. Lets now generate a token from this container, configure the switch and re-register the device.
From the “General” tab, click “New Token”
Give the Token a name and click “Create Token”
Select the token, under “Actions” click “Copy” and copy the token into the clipboard.
Step 14. On the switch lets disable the default call home profile and configure a new profile to point to the local SSM. Note that only one profile is allowed to be active at one time. To disable the default profile, issue the following: –
If we take a look at the status of the default profile “CiscoTAC-1” this should now be inactive
Configure a new profile and point it to SSM using the following:
(config)#call-home – we want to configure call-home
(cfg-call-home)#no http secure server-identity-check – we don’t want to verify the identity of the CSSM server, this sometimes can cause issues as the self signed certificate applied to SSM wont match the CN.
(cfg-call-home)#profile On-Prem-Call-Home – name of the new profile
(cfg-call-home-profile)#reporting smart-licensing-data – send licensing data
(cfg-call-home-profile)#destination transport-method http – use http/s as a transport method
(cfg-call-home-profile)#destination address http https://192.168.10.30:443/Transportgateway/services/DeviceRequestHandler – Point to On-Prem SSM
cfg-call-home-profile)#destination preferred-msg-format xml – use XML as the format
(cfg-call-home-profile)#active – make this profile active
(config)#ip http client source-interface vlan 781 – initiate the connection using this source SVI
(config)#crypto pki trustpoint SLA-TrustPoint – generate a self signed Certificate
(ca-trustpoint)#revocation-check none – don’t check for revocation
Check the new profile is active
On the switch, as the device was previously registered using CSSM, we will need to de-register it and then re-register again for SSM to pick it up.
#license smart deregister
#licence smart register idtoken “paste token here”
Lets check the status of the registration
#show license status
From the output above, we can see the following:
- The device is now “REGISTERED” the Smart Account that was used to register the device is “Smart-On-Prem-Account”.
- As the token was used from the “Corporate Network Devices” Virtual Account the license has also been picked from the container.
- The initial registration “SUCCEEDED” and the status for License Authorization is now “AUTHORIZED”.
- We also have “Sending hostname” enabled by default – this allows us to see the hostname of the device in SSM.
Step 15. Navigate to the virtual account “Corporate Network Devices” within SSM, and under “Licenses” we should see the “In use” column now display the licenses are in use.
If we click the “Product Instances” tab we should see the host name of the device and the product type.
Registered devices will now continue to check in with SSM once a month, the synchronization process is currently setup as manual however a scheduled job can be run to ensure the database is synced regularly. If any new licenses are issued with CSSM, it will be a good idea to transfer these to the local virtual account and run a manual sync to pick up in SSM.